Bug
Resolution: Unresolved
rhel-8.10
Moderate
rhel-sst-openshift
Red Hat Enterprise Linux
All
What were you trying to do that didn't work?
A customer is trying to set up keepalived in a network namespace named "LB".
When SELinux is in Enforcing mode, the service fails to start because of the following AVC denial:
    type=PROCTITLE msg=audit(10/25/2024 11:48:05.873:172) : proctitle=/usr/sbin/keepalived -D
    type=PATH msg=audit(10/25/2024 11:48:05.873:172) : item=0 name=/run/keepalived/ inode=74382 dev=00:18 mode=dir,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(10/25/2024 11:48:05.873:172) : cwd=/
    type=SYSCALL msg=audit(10/25/2024 11:48:05.873:172) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5601a764db18 a2=O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW a3=0x1a4 items=1 ppid=1 pid=4548 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
    type=AVC msg=audit(10/25/2024 11:48:05.873:172) : avc: denied { dac_override } for pid=4548 comm=keepalived capability=dac_override scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=0
The dac_override AVC above is raised while creating the /run/keepalived/LB directory.
It occurs because the parent directory, /run/keepalived, ends up with 0600 permissions even though mkdir is called with mode 0755, as the strace shows:
    3186 [system_u:system_r:keepalived_t:s0] 11:39:16.022254 mkdir("/run/keepalived/", 0755) = 0 <0.000013>
    :
    3186 [system_u:system_r:keepalived_t:s0] 11:39:16.023593 mkdir("/run/keepalived/LB", 0755) = -1 EACCES (Permission denied) <0.000119>
The exact reason is that keepalived applies a 0177 umask early during startup:
3186 [system_u:system_r:keepalived_t:s0] 11:39:16.018792 umask(0177) = 022 <0.000005>
With this mask in effect, the requested 0755 becomes 0600 (0755 & ~0177), so /run/keepalived has no execute (search) bit. Creating an entry beneath a non-searchable directory then requires CAP_DAC_OVERRIDE even for root, and SELinux denies that capability to keepalived_t, which is the dac_override AVC seen above.
Corresponding source code is:
      66 mode_t umask_val = S_IXUSR | S_IRWXG | S_IRWXO;
         :
    2043 /* Entry point */
    2044 int
    2045 keepalived_main(int argc, char **argv)
    2046 {
         :
    2085     /* Set default file creation mask */
    2086     umask(umask_val);
This mask is either incorrect, or it should be adjusted around the point where /run/keepalived is created during network namespace setup:
    222 static void
    223 set_run_mount(const char *net_namespace)
    224 {
        :
    235     if (mkdir(mount_dirname, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) && errno != EEXIST) {
    236         log_message(LOG_INFO, "Unable to create directory %s", mount_dirname);
    237         free_dirname();
    238         return;
    239     }
        :
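The following C program is an added illustration, not keepalived's own code: it reproduces the umask(0177) + mkdir(..., 0755) sequence from the strace in a scratch directory under /tmp, shows the resulting 0600 mode and the nested mkdir failing (or succeeding only through CAP_DAC_OVERRIDE when run as root), and then shows one way to create the directory with the intended mode regardless of the process-wide umask. All function names and the /tmp paths are this example's own.

```c
/* Added example, not keepalived's own code: shows how a process umask of 0177
 * turns mkdir(path, 0755) into a 0600 directory, and how to create a directory
 * with the intended mode regardless of the umask. Function names and the
 * scratch paths under /tmp are this example's own. */
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What the kernel computes for a new inode: requested & ~umask. */
mode_t dir_mode_under_umask(mode_t requested, mode_t mask)
{
    return (requested & ~mask) & 07777;
}

/* mkdir() under the given umask; returns the permission bits the directory
 * actually received, or -1 on error. The caller's umask is restored. */
int observed_mode_with_umask(const char *path, mode_t requested, mode_t mask)
{
    struct stat st;
    mode_t saved = umask(mask);
    int rc = mkdir(path, requested);
    int err = errno;
    umask(saved);
    if (rc == -1 && err != EEXIST) {
        errno = err;
        return -1;
    }
    if (stat(path, &st) == -1)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Fix pattern: clear the umask only around the mkdir() call so the directory
 * gets exactly `requested`, then restore it for everything else the process
 * creates. (A chmod() right after mkdir() would have the same effect.) */
int observed_mode_exact(const char *path, mode_t requested, mode_t mask)
{
    struct stat st;
    mode_t saved = umask(mask);   /* emulate the process-wide 0177 mask */
    umask(0);                     /* drop it just for this mkdir() */
    int rc = mkdir(path, requested);
    int err = errno;
    umask(saved);                 /* restore the original mask */
    if (rc == -1 && err != EEXIST) {
        errno = err;
        return -1;
    }
    if (stat(path, &st) == -1)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Build a scratch path under /tmp (constructed for this demo) and make sure
 * no leftover directory from an earlier run is in the way. */
static void scratch_path(char *buf, size_t len, const char *tag)
{
    snprintf(buf, len, "/tmp/umask-demo-%ld-%s", (long)getpid(), tag);
    rmdir(buf);
}

int main(void)
{
    char parent[128], child[160];

    scratch_path(parent, sizeof parent, "run_keepalived");
    /* Same call sequence as in the report: umask(0177) then mkdir(..., 0755). */
    int got = observed_mode_with_umask(parent, 0755, 0177);
    printf("mkdir(%s, 0755) under umask 0177 -> %04o\n", parent, got);

    /* A nested mkdir needs search permission on the 0600 parent: an
     * unprivileged user gets EACCES; root needs CAP_DAC_OVERRIDE, which an
     * SELinux policy can deny, as the AVC in the report shows. */
    snprintf(child, sizeof child, "%s/LB", parent);
    if (mkdir(child, 0755) == -1) {
        printf("mkdir(%s, 0755) -> %s\n", child, strerror(errno));
    } else {
        printf("mkdir(%s, 0755) -> ok (CAP_DAC_OVERRIDE bypassed the 0600 parent)\n", child);
        rmdir(child);
    }
    rmdir(parent);

    scratch_path(parent, sizeof parent, "fixed");
    int fixed = observed_mode_exact(parent, 0755, 0177);
    printf("mkdir with umask cleared around the call -> %04o\n", fixed);
    rmdir(parent);
    return 0;
}
```

Run as an unprivileged user the second mkdir fails with "Permission denied", matching the strace; run as root on a system without a confining policy it succeeds, which is exactly the CAP_DAC_OVERRIDE use that SELinux blocks for keepalived_t.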
What is the impact of this issue to you?
Cannot start keepalived when configuring a network namespace
Please provide the package NVR for which the bug is seen:
keepalived-2.1.5-9.el8
How reproducible is this bug?:
Always
Steps to reproduce
- Start the service with a network namespace configuration, e.g.
    net_namespace LB
    global_defs {
        router_id 102 # Unique id
        enable_script_security
    }
    vrrp_instance VI_1 {
        [...]
    }
Expected results
No failure to start
Actual results
Failure and AVC